#{}:
Denotes a placeholder. A parameter is supplied to the placeholder and MyBatis converts between the Java type and the JDBC type automatically, so the programmer does not need to think about the parameter's type; for example, when a string is passed in, the SQL that MyBatis finally assembles has single quotes on both sides of the parameter.
${}:
Denotes SQL string splicing. The parameter received through ${} is spliced into the SQL exactly as given, without any modification.
<select id="findUserById" parameterType="java.util.Map" resultType="java.util.Map">
select * from user where id = #{id}
</select>
The actual SQL statement is select * from user where id = '1'
<select id="findUserById" parameterType="java.util.Map" resultType="java.util.Map">
select * from user order by ${columName}
</select>
The actual SQL statement is select * from user order by id
Note: using ${} inside LIKE
<select id="findUserById" parameterType="java.util.Map" resultType="java.util.Map">
select * from user where username like '%${value}%'
</select>
Written this way, the value is spliced into the SQL string unmodified, which creates a SQL injection problem.
It can be written like this instead, so that the value travels as a bound parameter:
<select id="findUserById" parameterType="java.util.Map" resultType="java.util.Map">
select * from user where username like CONCAT('%',#{username},'%')
</select>
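As an added example (not code from the original page), the two statements above in MyBatis annotation form, assuming a mapper interface named UserMapper and a helper class named UserQueries: the LIKE query keeps the bound #{} parameter and additionally escapes LIKE wildcards, while the ORDER BY query, which has to use ${} because a column name cannot be supplied as a JDBC parameter, is guarded by an allowlist of column names.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Annotation form of the mapper statements discussed above. UserMapper and
// UserQueries are assumed names for this example; the table is the page's `user`.
public interface UserMapper {

    // The search term is bound as a JDBC parameter (#{}), so a quote inside it
    // cannot terminate the string literal. ESCAPE '!' makes '%' and '_' match
    // literally when prefixed with '!'; the caller escapes them with escapeLike().
    @Select("select * from user where username like CONCAT('%', #{term}, '%') ESCAPE '!'")
    List<Map<String, Object>> findByUsernameLike(@Param("term") String term);

    // ORDER BY takes an identifier, which a JDBC parameter cannot supply, so ${}
    // is needed here and the text is spliced into the SQL verbatim. It is only
    // acceptable because checkSortColumn() admits nothing outside the allowlist.
    @Select("select * from user order by ${column}")
    List<Map<String, Object>> findAllOrderBy(@Param("column") String column);
}

final class UserQueries {
    // Identifiers a caller may sort by; any other value is rejected before it
    // reaches MyBatis, which is the only defence available for a ${} fragment.
    private static final Set<String> SORTABLE = Set.of("id", "username");

    static String checkSortColumn(String column) {
        if (column == null || !SORTABLE.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return column;
    }

    // Escape the LIKE metacharacters so user input matches literally rather
    // than acting as a wildcard pattern (the '!' escape char itself first).
    static String escapeLike(String raw) {
        return raw.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    static List<Map<String, Object>> search(UserMapper mapper, String term) {
        return mapper.findByUsernameLike(escapeLike(term));
    }

    static List<Map<String, Object>> sorted(UserMapper mapper, String column) {
        return mapper.findAllOrderBy(checkSortColumn(column));
    }
}
```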